Omnichannel Retail: Is Your Store Technology Secure?
Information security is one of the top priorities of IT departments at companies in every industry — and with good reason. Cyberattacks are on the rise, and they are becoming increasingly sophisticated.
In this series of articles, we’ll look at the specific security issues and challenges facing a number of industries and types of companies. This first installment focuses on one of the most highly targeted sectors when it comes to security breaches: retail.
Emerging retail reality
In the “old days” of retail, merchants mainly had to guard against losses from random shoplifters and dishonest staff, as well as from the accidental loss of goods. These incidents still pose financial threats for brick-and-mortar stores, but the modern merchandiser has a lot more to worry about.
In addition to these sources of loss, retailers face digital security risks that grow every year, particularly as online and mobile shopping become more popular with consumers.
“Historically, retailers have focused on physical security in stores, and spent less of an effort to ‘get ahead’ of threats in the digital world,” says Erik Bilicki, national retail practice leader at Insight.
Risks of multiple storefronts
“The more fronts a retailer has, the more threats that the retailer is faced with,” Bilicki says. “In-store systems, vendors’ connected systems, Web sites, multiple apps — each platform and variation creates an additional level that has to be secured and monitored, and introduces more opportunities for attacks and breaches than ever before.”
Recently we’ve seen an unprecedented level of cyberassault on retailers. Several major breaches made the headlines, and retailers have reported tens of millions of customer records and credit cards exposed.
Among the most well-known companies in the sector to be hit with data breaches are Target, Home Depot, Michael’s, Kmart, Staples and Neiman Marcus. In some cases, these incidents have had long-term impact on the companies.
For example, the attack on Target in late 2013 was so extensive that the company continues to be plagued by financial repercussions. The breach resulted in the theft of payment card data, along with names, phone numbers and email addresses, from millions of customers.
It was recently reported that Target was nearing a data breach settlement with Visa, under which card issuers would be reimbursed by as much as $67 million. Target had earlier announced that it incurred breach-related expenses of $4 million in the fourth quarter of 2014 and a full-year net expense of $145 million, which reflects $191 million of gross expense only partially offset by the recognition of a $46 million insurance receivable.
The retail sector is a natural target for financially motivated attacks, given that it involves the transfer of large amounts of money, whether in physical stores or on the Internet. Because so many consumers use payment cards to make purchases, there are many opportunities for the theft of data to be leveraged for fraudulent activity.
Omnichannel security done right
Despite widespread efforts to comply with industry security standards, such as the Payment Card Industry Data Security Standard (PCI DSS 3.0) — a proprietary security standard for companies that handle cardholder information for major credit, debit and other payment cards — cybercriminals have clearly taken retailers such as Target by surprise. And while the Europay, Mastercard, Visa (EMV) mandate, effective Oct. 1, 2015, in the U.S. will help, there are still security cracks in chip-and-signature cards: the chip makes the card itself harder to counterfeit at the point of sale, but a signature verifies the cardholder far less reliably than a PIN, and EMV does nothing for online, card-not-present transactions, which are exactly the channels an omnichannel retailer is adding.
Whether or not a retailer has been breached, it’s clearly time to look for gaps in existing security programs by conducting a security assessment and addressing all vulnerabilities. Retailers, especially those that are adopting an omnichannel approach to their businesses, need to take a comprehensive, consistent approach in order to stay a step ahead of ever-evolving cyberthreats.
Research firm Forrester has developed a maturity model that provides functional explanations and evaluation criteria for all aspects of a complete information security organization. It provides the foundation for Forrester’s IT security-and-risk program assessment engagements and offers clients a comprehensive self-assessment tool.
The Forrester Information Security Maturity Model (October 2014) provides a framework that describes all of the required functions and components of a comprehensive security program. With a three-tiered hierarchy, it also offers a methodology for evaluating the maturity of each component of the framework on a consistent and prescriptive maturity scale. This enables reporting to a level of detail that can be adjusted for various audiences.
Other essential safeguards
One of the keys to strong retail security is awareness, Bilicki says. “This awareness is necessary not just on a technical side, but on the operational side as well,” he says. Teams across the enterprise should understand the security requirements that apply to them and build systems with security in mind from the start, he adds.
It’s also important to ensure that sufficient resources are allocated to security and to active monitoring of the retailer’s systems, whether through an internal team or by partnering with a service provider. Beyond that, Bilicki says, retailers must maintain vigilance, compliance, up-to-date patches, enterprise-wide training and regular auditing.
“While it may cost a retailer a large investment up front to implement and maintain appropriate levels of security, ultimately the costs incurred from a breach resulting from not being sufficiently proactive will likely be exponentially higher, especially when taking into account consumer confidence and their willingness to spend their dollars at the retailer,” Bilicki says.
Priorities for retail CIOs
Given the number of data breaches in the industry, it’s not surprising that retail CIOs have made security a top priority for 2015.
Managing data security is the most urgent focus for retail CIOs, according to the 2015 National Retail Federation/Forrester Research Inc. report “Retail CIO Agenda 2015: Secure and Innovate.” Of the 84 retail IT leaders surveyed in December 2014, 97 percent placed it at the top of their 2015 priority lists.
At the same time, retailers are heavily focused on supporting multiple selling channels. The report found that 76 percent of those surveyed named integrating selling channels (e-commerce, mobile, social, catalog and stores) as the No. 2 business priority for 2015, up from 61 percent in 2014.
“With the role of the CIO evolving further as a company’s strategic technology innovation leader, the complexity of business challenges cannot be overlooked — from data security to new digital customer experiences,” said Tom Litchford, vice president of retail technologies at the National Retail Federation, the world’s largest retail trade association.
Get in touch with Insight at 1.800.INSIGHT to learn more about retail security. If you're still researching on your own, find answers to your pressing security questions and discover background information that will help you make a well-informed decision. Once you're ready, take the Forrester security assessment here.